PRIVACY STATEMENT ASSISTED SELF-HELP

Last updated: 07.09.2025

Assistert Selvhjelp AS (“Assistert Selvhjelp”) develops technology to create internet-assisted treatment that, in combination with professional content, can be used to develop “Coping Tools” and “Mapping Tools”. Assistert Selvhjelp is the data controller for the collection and use of personal data made via the websites assistertselvhjelp.no and trigga.no, and associated digital services (“Websites”). Collectively, the Websites, Coping Tools and Mapping Tools can be described as “Services”.

OUR PROCESSING OF PERSONAL INFORMATION

Assisted Self-Help processes personal data in accordance with this privacy statement and The service agreement (for Businesses).

This Privacy Policy describes what personal information we collect when you visit our Websites and/or use our Services, and how this information is processed. It also contains detailed information about our solutions and subcontractors. We have chosen to include this to ensure transparency.

All processing of personal data takes place within the framework of applicable laws and regulations. If we are legally required to disclose information to public authorities, this will be done in accordance with applicable requirements.

We collect personal data in order to perform tasks and services that we are required to perform by law, regulation and/or agreement. The processing is carried out in accordance with the Personal Data Act, which makes the EU General Data Protection Regulation (GDPR) applicable as Norwegian law.

Personal data may be shared with partners both within and outside the EU/EEA, if this is necessary to perform our tasks and services, and always in accordance with this privacy policy.

Information that is no longer necessary for the purposes for which it was collected will be deleted on an ongoing basis.

This Privacy Policy contains both general provisions that apply regardless of use, and specific sections that depend on how the Services are used. Before purchasing or using Services from Assisted Self-Help, we recommend that you familiarize yourself with the contents of this policy.

THE MOST IMPORTANT CASES OF PERSONAL DATA PROCESSING​

1. End users

End Users access our Services through a Business (for example, a healthcare provider or GP).

  • Assisted Self-Help does not store personal information that can directly identify you when you use the Service.
  • It may still be possible for a professional in the Business that gave you access to identify you.
  • When you first log in, you can choose whether you want to share your data with the Business. You can change this at any time under Settings, by granting or withdrawing access.
  • The purpose of data sharing is to provide you with the best possible follow-up.
  • As long as the professional can identify you, your registrations are considered personal data.
  • I Settings You can also view and delete your own data. Deletion also means that you lose access to the Service.
  • If you wish to remain completely anonymous, you can generate a new access code and end data sharing with the Business.

When you use the Service, we only store information that cannot directly identify you. This is ensured by:

  • gives you a unique and randomly generated access code (pseudo-ID)
  • never asks for your name, email, phone number or other identifying information
  • never facilitates the recording of identifiable personal data
  • actively encrypts and removes IP addresses, or ensures that they cannot be connected to other data

If you log in via external solutions (Helsenorge or Youwell), personal data is handled by these providers. Assisted Self-Help only receives a pseudo-ID that is used to grant you access.

Examples of information that is stored:

  • answers to questions and tasks about behavior, feelings, thoughts and experiences
  • what content you have viewed or completed
  • results from surveys (e.g. symptoms of anxiety or depression)
  • time of login and time spent
  • technical information such as clicks, browser, operating system (used for analysis and improvement)
  • evaluations and feedback you provide on the Service

Local storage

  • In some places in the Service, you can register your own responses that are stored locally on your device (browser/app).
  • These are stored encrypted, are not shared with Assisted Self-Help or a professional, and can only be viewed if you log in on the same device.
Purpose and legal basis
 
  • Legal basis:
    • GDPR Art. 9 No. 2 Letter h (healthcare services)
  • The purpose is to:
    • give you access to digital coping and mapping tools in a safe and user-friendly way
    • let you continue where you last left off
    • give you an overview of your registrations
    • ensure the best possible benefit from the Service, for example by highlighting relevant content
    • track your progress over time
    • facilitate that professionals (if you share data) can provide the best possible follow-up
    • ensure safety and stable operation
    • quality assurance, improvement and further development of the Services
    • give the Norwegian Institute of Public Health (NIP) access to anonymized datasets (statistics) as part of quality assurance

When you share data with a professional

If you share data with a professional in a business, your registrations are considered personal data because the professional can identify you.

The aim is for professionals to be able to:

  • track your progress and prepare for follow-ups
  • adjust workload between hours
  • assess the benefit and effect of the treatment

In some cases, the professional can complete the form directly in the system with you, or on your behalf by further agreement.

You decide:
  • When you first log in, you choose whether the business should have access to your data.
  • You can grant or revoke this access at any time under Settings.
  • If you do not consent, or do not respond, the professional will not have access to your data.

Time-limited consent:

  • After 22 weeks, you will be asked if you are still receiving follow-up.
    • "Yes" → new question after 22 weeks.
    • "No" → the business loses access.
  • Without a response within 26 weeks, the business will automatically lose access.
  • You can later grant access again if you wish.

LOGIN

From assistertselvhjelp.no / trigga.no

  • You log in with a unique code.
  • The business can store the code in your journal.
  • As long as the code can be linked to you via medical records, the data is considered personal data.

Anonymization and change of access code code:

  • You can use the Service completely anonymously or delete your data at any time.
  • Data that is not deleted is used as anonymous statistics.
  • You can also change the code in SettingsYou will then receive a new code, and the old one will become inactive.
  • When the code is changed and data sharing ends, the professional no longer has access. The data is then not considered personal data.

With app

  • Downloading Assisted Self-Help from the App Store or Google Play.
  • Log in with your code, or use "Automatic login" with biometrics or a code of your choice.
  • The code is only stored on your device.
  • You can receive notifications when the professional sends you content. These are handled via Google Firebase and are de-identified.

Via Norwegian Health Authority (NHN)

  • Login is done via Helsenorge.
  • Assisted Self-Help never gets your name, social security number or mobile number.
  • We only receive a pseudo-ID that gives you access.

Via Youwell (ID gateway)

  • Authentication is done via Youwell.
  • Assisted Self-Help does not receive a social security number or mobile number, only a pseudo-ID that is used for access.

SMS notification via Youwell

  • You can receive SMS notifications about appointments, surveys or tasks.
  • SMS is sent via Youwell.

Inspection and correction

  • Error registrations are usually of little importance, but can be reported via the feedback form after logging in.
  • Never provide your name or phone number on the form.
  • We cannot send confirmation back, but corrections are normally made within 7 business days.

Recommended procedure:

  • First, contact the company where you will be followed up. They can forward the inquiry without identifying you.
  • If you contact Assisted Self-Help directly, all communication with identifiable information will be deleted immediately after the request has been fulfilled.

Inquiries and feedback

  • You can provide input via "Suggest changes" or "Evaluation form" in the Service.
  • We do not store any personal information (such as name or IP address) when you use these features.
  • The purpose is solely to improve the Services.

For inquiries by email or via contact form:

  • Email is not encrypted. Do not send sensitive information.
  • The contact form requires an email address (in order to respond), but name and phone number are optional.
  • Messages are reviewed by the mail reception and routinely deleted if they contain sensitive personal information.

2. Private individuals

Individuals purchase access to the Services directly via our website, through a payment solution (e.g. Stripe).

  • Personal data in connection with payment is stored with the third-party provider of the payment solution.
  • Assisted Self-Help has neither a need nor a desire for this information, and we have ensured that personal and payment data are not linked to the use of the Service.
  • If you want a receipt, both Assistert Selvhjelp and Stripe must store your email address to send it. Assistert Selvhjelp deletes the email address once the receipt has been sent.
  • If you do not need a receipt, Assisted Self-Help has no access to personal information about you.

When you use the Service as a private individual, we only store information that cannot directly identify you. This is ensured by:

  • gives you a unique and randomly generated access code (pseudo-ID)
  • never asks for your name, email, phone number or other identifiable information
  • does not provide for the registration of personal data in the Service
  • actively encrypts and removes IP addresses, or ensures that they are not connected to other data

Examples of information that is stored:

  • answers and answer categories related to questions and tasks about behavior, feelings, thoughts and experiences
  • what content you have viewed or completed
  • results from assessment tools (e.g. symptoms of anxiety and depression)
  • time of login and time spent
  • technical information (clicks, browser, operating system) used for analysis and improvement
  • evaluations and feedback you provide on the Service

Local storage

  • In some places in the Service, you can register your own responses that are stored locally on your device (browser/app).
  • These are stored encrypted, are not shared with Assisted Self-Help or a professional, and can only be viewed if you log in on the same device.

Purpose and legal basis

  • Legal basis:
    • GDPR Art. 6 No. 1 Letter b (fulfillment of contract)
    • GDPR Art. 9 No. 2 Letter h (healthcare services)
  • The purpose is to:
    • provide you with access to the Service through purchases via a payment solution
    • deliver coping and mapping tools in line with the agreement
    • document purchases and be able to offer a refund
    • follow up on inquiries and rights related to the contractual relationship
    • ensure the operation, quality and further development of the Services

PAYMENT AND LOGIN

Payment with Stripe

  • When you purchase access, payment is handled by Stripe.
  • Stripe processes card information, cardholder name and which service you have purchased.
  • Assisted Self-Help never has access to card numbers. Stripe never has access to your access code or data you register in the Service.
  • Stripe only shares the IP address and the last four digits of the card number with us to document the purchase.
  • Stripe is the data controller for the payment solution itself.

Login with code

  • Access is gained with a unique code that is generated after payment is completed.
  • You can log in via the website or the app.

App and automatic login

  • Download Assisted Self-Help from the App Store or Google Play and log in with your code.
  • You can enable "Automatic login" with biometrics or a code of your choice.
  • The code is only stored locally on the device. Neither Assisted Self-Help nor others can see that it is stored.
  • Biometrics/code protects the app from unauthorized access to the device.

Change code

  • You can change the code below SettingsA new code is generated, and the old one becomes inactive.
  • When you change your code and no longer share data, your registrations are no longer considered personal data.

Storage and deletion

  • We retain personal information related to payment only for as long as necessary to provide the Service and document the purchase.
  • The information is deleted on an ongoing basis when the purpose has been fulfilled.
  • The access code is initially valid for five (5) years after creation or last use. If not used for five years, it will be automatically deactivated.
  • You can delete all data at any time via SettingsWhen this is done, you will lose login access and all data will be deleted from our systems.
  • Anonymized data that cannot be linked to you may be retained for analysis, improvement, and compilation of group data.

Access to your own information

  • Once you are logged in with your unique code, you have full access to all the information you have registered.
  • You can also request access to or correction of payment information. The communication log will be deleted once the request has been fulfilled.

Inspection and correction

  • Error registrations are usually of little importance, but can be reported via the feedback form after logging in.
  • Never provide your name or phone number on the form.
  • We cannot send confirmation that corrections have been made, but changes are normally made within 7 business days.

If you contact us directly:

  • Communications containing identifiable information are deleted immediately after the request has been fulfilled.

Feedback and inquiries

  • You can provide input via "Suggest changes" or "Evaluation form" in the Service.
  • When you do this, we do not store any personal information (such as your name or IP address).
  • The purpose is only to improve the Service.

By email or contact form:

  • Email is not encrypted. Do not send sensitive information.
  • The contact form requires an email address (in order to respond), but name and phone number are optional.
  • Enquiries are assessed by the mail reception and routinely deleted if they contain sensitive personal information.

3. Professionals and Businesses

Professionals are employees of a Business that provides the Services to End Users. (May also include administrative contact persons for the business).

  • An Enterprise can be a public organization, a company, or a private service provider (for example, a health service or GP).
  • Assisted Self-Help stores personal information about professionals to provide access to necessary functions in the Service, and to be able to follow up on the customer relationship.
  • The organization is responsible for keeping track of who has access. Defined professionals must ensure that access is updated and that corrections or deletions occur when necessary.

Assisted Self-Help collects and processes information from businesses and their professionals in order to identify, register and deliver the Services in accordance with the Service Agreement, as well as provide support.

Customer relations:

  • name of business
  • organization number
  • contact person for customer relations
  • email, phone number, etc.

Professionals:

  • first name and last name
  • workplace and position
  • phone number
  • email address
When logging in via ID-porten or HelseID, the social security number is registered directly with the provider that offers the login service. At Assistert Selvhjelp, the social security number is stored exclusively in hashed form, and there are no situations where it is stored or processed in clear text.

Purpose and legal basis
  • Legal basis: GDPR Art. 6 No. 1 Letter f (legitimate interest).
  • Purpose:
    • enter into and manage customer relationships
    • secure the operation and use of the Services in businesses
    • generate economic activity
    • safeguard and strengthen the company's reputation
    • handle support and inquiries from customers and partners

Use of the information

  • Registered email addresses may be used to send updates and important information. We will only send information that is deemed relevant.
  • When providing support and inquiries, employees at Assistert Selvhjelp may need to see information registered about the customer relationship.
  • All employees have signed a confidentiality and non-disclosure agreement.

LOGIN

Login via HelseID / Youwell

  • Professionals can log in via HelseID (NHN) or via the ID-porten (Youwell), depending on the organization's choice.
  • Information such as name, social security number and mobile phone number is processed here for authentication.
  • To manage access with HelseID, Assisted Self-Help stores the social security number in hashed form. This ensures that the social security number cannot be recovered.
  • When logging in via Youwell, Assisted Self-Help only receives a pseudo-ID, and never the actual social security number or mobile number.

Special agreements
Processing of personal data related to specific services and products may be regulated in:

  • The service agreement between Assisted Self-Help and the business
  • any special agreements that are entered into

Inspection and correction

  • Businesses and professionals can, upon request, access all personal data registered about them.
  • If the information is incorrect or irrelevant, they may request correction or deletion, unless statutory requirements prevent this.
  • Certain information (such as contact information, order and invoice history) may be retained if this is necessary to safeguard legal rights or documentation requirements.
  • For such inquiries, the contact form on the website can be used.

Inquiries and feedback

  • Professionals can provide input through the "Suggest Changes" and "Evaluation Form" functions after logging in. These are used only to improve the Services.
  • Enquiries by email or via contact form may be stored, but email is not encrypted. Do not send sensitive or confidential information via email.
  • The contact form requires an email address (in order to respond), while name and phone number are optional.
  • Enquiries are assessed by the mail reception and routinely deleted if they contain sensitive personal information.

COMPANY'S RESPONSIBILITY

Identification of end users

  • Businesses have access to a view of end users via pseudo-ID
  • If an end user actively consents to sharing, the business also gains access to registrations made in the Service.
  • Consent is given upon first login or later via Settings – and can be withdrawn at any time. The end user can also delete data and terminate the Service.
  • Records are considered personal data as long as they can be linked to the end user through additional information (e.g. if the pseudo-ID is stored together with medical record information).
  • Only the business has access to such additional information and decides who should have access.
  • The business is responsible for ensuring adequate security measures when using additional information, cf. the data processing agreement.

Business obligations

  • The business must always have at least one defined employee as a super user responsible for keeping track of professionals with access to the Services.
  • Professionals who should no longer have access must be deactivated.
  • If Assisted Self-Help becomes aware of incorrect contact information, it will be updated using public registers (number information services and the Brønnøysund registers).
  • Upon termination of a customer relationship, personal information registered with Assistert Selvhjelp will be deleted immediately.

YOUR RIGHTS AND OUR HANDLING OF INFORMATION

As a registered user, you have a number of rights under the privacy regulations. Here you will find a summary of the most important ones, as well as how we protect your information.

Your rights

  • You can ask for insight in what information we have about you, why we use it, who it is shared with and how long it is stored.
  • You can request that we corrects or updates incorrect or incomplete information.
  • You can ask for deletion of information when it is no longer necessary, when consent is withdrawn, or if the information has been processed unlawfully.
  • You can ask us limit processing of your information, for example if you believe it is incorrect and we need to investigate further.
  • In certain cases, you have the right to data portability, i.e. to have the information provided in a machine-readable format or to transfer it to another provider.
  • You can protest against information being used if the processing is based on legitimate interests or public tasks.
  • You can always complaint to the Norwegian Data Protection Authority if you believe that we are processing information in a way that violates the regulations.

How we protect information

  • All communication and data storage is encrypted (TLS/SSL), and passwords are stored with secure algorithms.
  • We collect least possible identifiable informationFor end users, only anonymous codes are used, and we use hashing of IP addresses to prevent identification.
  • In rare cases, IP addresses may be used temporarily for troubleshooting purposes, but are deleted immediately afterward.
  • If a problem occurs security breach, we notify both those affected and the Norwegian Data Protection Authority within the applicable deadlines (72 hours).

Analysis and alerting

  • We use Plausible Analytics to collect visitor statistics on our websites. No personal data is collected.
  • Let's Encrypt ensures encryption of communication.
  • Google Firebase used for notifications in the app (e.g. when the professional posts new content). The information is de-identified.

Third-party features

In some cases, we may use third-party providers (e.g. Stripe for payment or other technical services). Their privacy policies also apply, and we recommend that you familiarize yourself with these before sharing information.

Assistert Selvhjelp uses the following subcontractors to operate and deliver the Services. These subcontractors process personal data only on behalf of Assistert Selvhjelp, and are not entitled to use the data for their own purposes.

Operation and storage

  • North Lo – server operation and storage in Norway (Vennesla and Haugesund).
  • Microsoft (Azure / Office 365) – data center operations and internal support tools.
  • Google Workspace – email and external communication.

Authentication and login

  • Norwegian Health Network (NHN) – delivers HelseID as authentication solutions for login and access to services via Helsenorge.no.
  • Youwell – platform for ID-porten login and SMS notification when Services are offered via a processor.

Payment

  • Stripe – payment solution for individuals who purchase access to the Services.

Finance and accounting

  • Aider AS – accountant for Assisted Self-Help.
  • Xledger – accounting system for customer relations, accounting and auditing.

Operation and error handling

  • Sentry – tools for monitoring and troubleshooting digital solutions.

Transfer of personal data to third countries (outside the EU/EEA)

As a general rule, all information is stored and processed in Norway or the EU/EEA. In a few cases, we use subcontractors outside the EU:

Permanent developer in Turkey

  • We employ a permanent developer in Turkey for technical maintenance and bug fixes.
  • The developer does not have permanent access and is only granted access in very rare cases (normally no more than 5 times per year).
  • All access is logged and documented by our security officer.
  • The developer can then process the pseudo-ID or temporarily view IP addresses when troubleshooting, but these are processed completely isolated from other personal data, and are deleted immediately after use.
  • The developer never has access to directly identifiable information about end users. 
  • Professionals who use HelseID: Personal identification numbers are always stored with salted hashing.
  • The access is strictly controlled and regulated through the EU's Standard Contractual Clauses (SCC, module 3) and a separate Transfer Impact Assessment (TIA) that assesses the risk as low.

Other subcontractors (USA)

Some technical providers have servers outside the EU, e.g.:

  • Google (email, cloud storage)
  • Microsoft (office support)
  • Sentry (troubleshooting tool)
  • Stripe (payment solution)

These suppliers participate in Trans-Atlantic Data Privacy Framework between the EU and the US, which provides binding rules for the protection of personal data from the EU.

Important to know

  • No personal data is transferred to third parties without your explicit consent.
  • If a subcontractor transfers data to its own agents, this must occur within the same regulations (Trans-Atlantic Data Privacy Framework) and with the same security guarantees

 

End users, private individuals, as well as businesses and their employees who use the Services accept that Assistert Selvhjelp reserves the right to make changes to the Privacy Policy on an ongoing basis.

Assistert Selvhjelp is obliged to notify End Users, Private Persons, as well as Businesses and their employees of significant changes that affect them. Material changes include any matter that restricts rights, or that otherwise changes the obligations or rights of the parties.

Possibility of appeal

If you believe that we are processing your personal data in a way that violates the regulations, you have the right to complaint to the Norwegian Data Protection AuthorityWe would still appreciate it if you would contact us first so that we can correct any errors.

Changes from version published 16.01.2025 to version published 07.09.2025:

  • We have made the content shorter and more clear for the different target groups.
  • We have removed “Philippines” from the list of countries where we have “Subcontractors outside the EU”.
  • We have added a description for optional login options (HelseID/Helsenorge.no or IDporten), where authentication is done by subcontractors (Norsk Helsenett or Youwell AS).

Changes from version published 22.01.2024 to version published 16.01.2025:

  • We have entered into a cooperation agreement with Sandnes Municipality regarding the delivery of Trigga.no. Assistert Selvhjelp is now the data controller for the collection and use of personal data made via this website.
  • Removed description about access from Helsenorge.no, as this option is not currently offered.
  • Removed “Vietnam” from the list of countries where we have “Subcontractors outside the EU”.
  • Removed Conta as a subcontractor (for Businesses only).
  • We have added Sentry as a subcontractor – relevant for Businesses: Sentry is used as a tool for monitoring and troubleshooting our digital solutions. This means that technical information about errors and performance data can be collected to improve the user experience and ensure stable operation of our services. Sentry stores information on servers they operate, and the data which is being treated may include the professional's email, but is limited to what is necessary to identify and correct errors. 

Changes from version published 21.11.2023 to version published 22.01.2024:

  • The title of the previous point "Fixed developers outside the EU" is replaced by the title "Subcontractors outside the EU".
  • In Subcontractors outside the EU, we have updated the text referring to the current agreement for the transfer of information between the EU and the US – from “Privacy Shield – Safe harbor” to “Trans-Atlantic Data Privacy Framework”.

Changes from version published 05.12.2022 to version published 21.11.2023:

  • The title of the previous point "Subcontractors outside the EU" is replaced by the title "Fixed developers outside the EU".
  • We have added Turkey as a local location for non-EU developers.

Changes from version published 16.05.2022 to version published 05.12.2022:

  • We have made minor changes to the text to make the Data Processor Agreement easier to read. 
  • We have updated the names of G Suite, which is now called Google Workspace and Tet Regnskap, which is now called Aider AS.
  • We have collected descriptions of functions for website analysis, encryption and notifications in the app.
  • We have updated the local location for developers outside the EU.

Changes from version published 08.12.2021 to version published 16.05.2022:

  • We have updated subcontractors (Nordlo)
  • Plausible replaces Google analytics
  • We have developed functionality for varling in the App. We have therefore added information aimed at end users who log in via AssistertSelvhjelp.no and Helsenorge.no. 

Changes from version published 02.09.2021 to version published 08.12.2021:

  • We have developed functionality for “Automatic Login” using biometrics and/or a self-selected code to protect access to the App. We have added information aimed at End Users who log in via AssistertSelvhjelp.no and Helsenorge.no, as well as information for Private Individuals.

Changes from version published 27/11/2020 to version published 02/09/2021:

  • We have changed the duration of consent to share data with businesses from 14 to 26 weeks. This has been done on the basis of feedback from several Companies, where consent is terminated before the user has finished follow-up, for example in connection with holiday processing. End users can nevertheless withdraw consent from settings at any time. 

Changes from version published 05/05/2020 to version published 27/11/2020:

  • We have reduced the amount of text and made the content more clear. This has been done on the basis of feedback from several businesses.
  • We switched during the 1st quarter of 2020 from Digitalocean (Amsterdam, The Netherlands) to Dedia AS (Oslo, Norway), but are now switching back. The background is that this will reduce vulnerability related to geo-redundancy, as Dedia AS uses the same data center as our main server (Syse AS). The server providers are within the EU where the EU's personal data protection regulation (GDPR) applies.
  • IP addresses are encrypted and/or removed so that these are not linked with other data. We specify that we may need to remove the encryption temporarily. The purpose is to prevent/block/prevent common cyberattacks that can affect most websites. Should this become necessary, the IP address will still not be linked to other registered data that is stored separately.
  • We have added information aimed at End Users who log in via Helsenorge.no, and Professionals who log in with Health ID.